package preparedStatement;


import util.jdbc_utils;

import java.sql.*;


//存在SQL注入漏洞
public class solute_injection {
    public static void main(String[] args) throws SQLException {

        //login("赵八","1233");  //正常登录

        //相当于 select * from `users` where `NAME` =''or'1=1' AND `PASSWORD` ='' or '1=1'
        login("'' or '1=1'","''or '1=1'");

    }


    //登录业务
    public static void login(String username,String password) throws SQLException {

        Connection connection = jdbc_utils.get_connection();

        // PreparedStatement 防止SQL注入的本质：把传递进来的参数当做字符
        //假设其中存在转义字符，比如 “ '' ” 会被直接转义

        String sql ="select * from `users` where `name` =? and `password` =?";

        PreparedStatement statement = connection.prepareStatement(sql);

        statement.setString(1,username);
        statement.setString(2,password);

        ResultSet resultSet = statement.executeQuery();



        // 正常可以登录
        if (resultSet.next()){
            System.out.println(resultSet.getObject("id"));
            System.out.println(resultSet.getObject("NAME"));
            System.out.println(resultSet.getObject("PASSWORD"));
            System.out.println(resultSet.getObject("email"));
            System.out.println(resultSet.getObject("birthday"));

            System.out.println("--------------------------------------------------------------");

        }else{
            System.out.println("fail");
        }





        //关闭close 释放连接
        jdbc_utils.release(connection,statement,null);


    }
}
